Environment
Identity Manager Driver - Role-Based Entitlements Service
Situation
Entitlements are not being granted with the Role-Based Entitlements Service driver.
A -603 ERR_NO_SUCH_ATTRIBUTE error can be seen in the driver trace:
[08/24/20 17:35:51.416]:rbe ST:method: checkMembershipQueries
[08/24/20 17:35:51.420]:rbe ST:method: cleanup
[08/24/20 17:35:51.423]:rbe ST:SubscriptionShim.execute() returned:
[08/24/20 17:35:51.426]:rbe ST:
<nds dtdversion="3.0">
<source>
<product build="20180222_0620" instance="\ID-VAULT-UAT\idv\DriverSet1\Role-Based Entitlements Service" version="4.0.0.0">DirXML Entitlement Service Driver</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="IDV2DDPMILDAP#Publisher#0:3e966c75-faa6-4faf-9a71-fe7db42164ae" level="error" type="app-general">
<description>novell.jclient.JCException: readEntry (JCValue[] form) -603 ERR_NO_SUCH_ATTRIBUTE</description>
<exception class-name="novell.jclient.JCException">
<message>readEntry (JCValue[] form): -603</message>
<stack-trace>novell.jclient.JCException: readEntry (JCValue[] form) -603 ERR_NO_SUCH_ATTRIBUTE
at novell.jclient.JClient.readEntry(Native Method)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.checkMembershipQueries(Unknown Source)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.determineMembership(Unknown Source)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.modifyHandler(Unknown Source)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.handleNonSharedProfileObject(Unknown Source)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.dispatch(Unknown Source)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.execute(Unknown Source)
at com.novell.nds.dirxml.engine.Subscriber.execute(Subscriber.java:473)
at com.novell.nds.dirxml.engine.Subscriber.execute(Subscriber.java:304)
at com.novell.nds.dirxml.engine.Subscriber$AddProcessor.process(Subscriber.java:1623)
at com.novell.nds.dirxml.engine.Subscriber.processEvent(Subscriber.java:1197)
at com.novell.nds.dirxml.engine.Subscriber.processEvents(Subscriber.java:1010)
at com.novell.nds.dirxml.engine.Driver.submitTransaction(Driver.java:901)
at com.novell.nds.dirxml.engine.DriverEntry.submitTransaction(DriverEntry.java:1174)
at com.novell.nds.dirxml.engine.DriverEntry.processCachedTransaction(DriverEntry.java:1058)
at com.novell.nds.dirxml.engine.DriverEntry.eventLoop(DriverEntry.java:866)
at com.novell.nds.dirxml.engine.DriverEntry.run(DriverEntry.java:640)
at java.lang.Thread.run(Thread.java:748)
</stack-trace>
Resolution
The user account used to authenticate the Role-Based Entitlement member query either had insufficient rights or an incorrect password. Changing the user to another Admin user corrected the issue.
Note that after you specify a new user in the Search identity field, you are not prompted for that user's password until you click the test button. Change the user in the Search identity field, click apply, and then click the test button to enter the password and verify, in the member query results test, that the query actually retrieves the users that match your search criteria.
Cause
Invalid credentials specified for the member query of the entitlement policy.
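To locate this failure in a longer driver trace, the following Python example scans trace text for error status blocks that carry -603 and pass through checkMembershipQueries. It is an added example, not part of the original article or the vendor's tooling. The sample trace, its event id and the function name are constructed, abbreviated from the trace format shown under Situation.

```python
import re

# Constructed sample, abbreviated from the trace format shown under Situation.
SAMPLE_TRACE = """\
[08/24/20 17:35:51.426]:rbe ST:
<status event-id="example-event-1" level="error" type="app-general">
<description>novell.jclient.JCException: readEntry (JCValue[] form) -603 ERR_NO_SUCH_ATTRIBUTE</description>
<stack-trace>novell.jclient.JCException: readEntry (JCValue[] form) -603 ERR_NO_SUCH_ATTRIBUTE
at novell.jclient.JClient.readEntry(Native Method)
at com.novell.nds.dirxml.driver.entitlement.EntitlementSubscriber.checkMembershipQueries(Unknown Source)
</stack-trace>
[08/24/20 17:36:02.100]:rbe ST:method: cleanup
"""

TS = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\]:")
STATUS = re.compile(r'<status event-id="([^"]*)" level="error"')
ERR = re.compile(r"JCException: .*?(-\d+) (ERR_\w+)")
FRAME = "EntitlementSubscriber.checkMembershipQueries("

def find_member_query_failures(trace_text):
    """Return error status blocks where -603 was raised in the member query
    check, the combination this article describes (hypothetical helper)."""
    findings, block, last_ts = [], None, None

    def close(b):
        if b and b["code"] == "-603" and b["in_member_query"]:
            findings.append(b)

    for line in trace_text.splitlines():
        ts = TS.match(line)
        if ts or "</status>" in line:
            # The next timestamped line also ends a block: traces are often cut off.
            close(block)
            block = None
            last_ts = ts.group(1) if ts else last_ts
            continue
        st = STATUS.search(line)
        if st:
            close(block)
            block = {"timestamp": last_ts, "event_id": st.group(1),
                     "code": None, "name": None, "in_member_query": False}
        elif block is not None:
            err = ERR.search(line)
            if err and block["code"] is None:
                block["code"], block["name"] = err.groups()
            block["in_member_query"] |= FRAME in line
    close(block)
    return findings

if __name__ == "__main__":
    for f in find_member_query_failures(SAMPLE_TRACE):
        print(f["timestamp"], f["event_id"], f["code"], f["name"])
```

A hit points at the Search identity configured for the entitlement policy's member query, which is then checked with the test button as described under Resolution.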